The Register

AWS catches Russia’s Cozy Bear clawing at Microsoft credentials

Amazon today said it disrupted an intel-gathering attempt by Russia’s APT29 to trick Microsoft users into unwittingly granting the Kremlin-backed cyberspies access to their accounts and data.

APT29, also known as Cozy Bear and Midnight Blizzard, is probably best known for the 2020 SolarWinds hack, and has been widely linked to Russia’s Foreign Intelligence Service (SVR) by the US, UK, and other governments and security researchers. And this particular bear has developed a taste for Microsoft data and user credentials over the years.

In its most recent watering hole campaign, the attackers compromised legitimate websites and injected malicious JavaScript code that redirected about 10 percent of visitors to actor-controlled domains. 

The domains included findcloudflare[.]com and cloudflare[.]redirectpartners[.]com, which were intended to mimic legit Cloudflare verification pages. The goal was to trick people trying to log into their Microsoft accounts into entering an APT29-generated device code into the sign-in page, thus authorizing attacker-controlled devices and ultimately granting the Russian spies access to the victims’ Microsoft accounts and data. 

“This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts,” Amazon’s Chief Information Security Officer CJ Moses said in a Friday blog post.

Moses added that no AWS systems were compromised, nor was there any direct impact on AWS services or infrastructure.

AWS also analyzed the code to find the methods APT29 used to evade detection. These included using randomization to redirect only a small percentage of visitors, employing base64 encoding to hide malicious code, setting cookies to prevent repeated redirects of the same visitor, and then pivoting to new infrastructure when blocked.
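The two paragraphs above give a defender three things to look for in web proxy telemetry: the named actor domains, hostnames that carry the "cloudflare" brand but sit outside cloudflare.com, and a client that visits such a lookalike and then opens the Microsoft device-login page shortly afterwards (the point at which a victim would type the attacker-generated device code). The following detection script is an added example, not code from Amazon, Microsoft or the article; the proxy log format, the sample log lines and the use of microsoft.com/devicelogin as the correlation anchor are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Actor-controlled hosts named in the article (written there defanged with [.]).
KNOWN_ACTOR_DOMAINS = {"findcloudflare.com", "cloudflare.redirectpartners.com"}

# Brand the lookalike pages imitated, mapped to the apex domain it legitimately uses.
BRAND_APEX = {"cloudflare": "cloudflare.com"}

# The well-known page where a user types a device code; assumed here as the correlation anchor.
DEVICE_LOGIN_HOSTS = {"microsoft.com", "www.microsoft.com"}
DEVICE_LOGIN_PATH = "/devicelogin"

# Constructed sample proxy log, not real telemetry. Assumed line format:
# <timestamp> <client_ip> <method> <url> <status> referer=<url or ->
SAMPLE_LOG = """\
2025-08-29T14:02:11Z 10.0.0.5 GET https://news.example.org/article/123 200 referer=-
2025-08-29T14:02:12Z 10.0.0.5 GET https://findcloudflare.com/verify 200 referer=https://news.example.org/article/123
2025-08-29T14:02:58Z 10.0.0.5 GET https://microsoft.com/devicelogin 200 referer=-
2025-08-29T14:03:40Z 10.0.0.9 GET https://cloudflare.redirectpartners.com/check 200 referer=https://news.example.org/article/123
2025-08-29T14:04:02Z 10.0.0.7 GET https://challenges.cloudflare.com/turnstile/v0/api.js 200 referer=https://shop.example.com/
2025-08-29T14:04:30Z 10.0.0.7 GET https://microsoft.com/devicelogin 200 referer=-
2025-08-29T14:05:15Z 10.0.0.3 GET https://cloudflare-verify.example-cdn.net/ 200 referer=https://blog.example.org/post
2025-08-29T14:06:30Z 10.0.0.3 GET https://example.net/ 200 referer=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) referer=(?P<ref>\S+)$"
)


def parse_line(line):
    """Parse one proxy log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_brand_lookalike(host):
    """True when a hostname carries a brand name but is not the brand's apex domain or under it."""
    host = host.lower().rstrip(".")
    for brand, apex in BRAND_APEX.items():
        if brand in host and host != apex and not host.endswith("." + apex):
            return True
    return False


def classify_host(host):
    """Return a reason string for a suspicious host, or None when there is nothing to flag."""
    host = host.lower().rstrip(".")
    if host in KNOWN_ACTOR_DOMAINS:
        return "known_actor_domain"
    if is_brand_lookalike(host):
        return "brand_lookalike"
    return None


def analyze(log_text):
    """Walk the log in order; flag lookalike hits and any later device-login visit by the same client."""
    alerts = []
    tainted = {}  # client_ip -> lookalike host that client was sent to
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        parts = urlsplit(ev["url"])
        host = (parts.hostname or "").lower()
        reason = classify_host(host)
        if reason:
            # The referer is the page the visitor came from, i.e. a candidate watering hole.
            alerts.append({"severity": "medium", "reason": reason, "ip": ev["ip"],
                           "host": host, "referer": ev["ref"]})
            tainted[ev["ip"]] = host
        elif host in DEVICE_LOGIN_HOSTS and parts.path.startswith(DEVICE_LOGIN_PATH) and ev["ip"] in tainted:
            # Device-login visit by a client that was just redirected to a lookalike: escalate.
            alerts.append({"severity": "high", "reason": "device_login_after_lookalike",
                           "ip": ev["ip"], "host": host, "lookalike": tainted[ev["ip"]]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script raises four alerts: two for the named actor domains, one for the unlisted lookalike `cloudflare-verify.example-cdn.net`, and a high-severity one for client 10.0.0.5, which opened the device-login page after being sent to findcloudflare.com. The legitimate `challenges.cloudflare.com` hit and the unrelated device-login visit by 10.0.0.7 produce nothing. The referer recorded on each lookalike alert is what points back at the compromised site, and the lookalike check deliberately uses the brand's apex domain rather than a fixed blocklist, since the article notes the actor moves to new infrastructure when blocked.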

Neither Amazon nor Microsoft immediately responded to The Register’s inquiries about the size of this campaign, whether it targeted specific groups or industry sectors, and whether it remained ongoing.

It follows a similar attempt by the same Russian spy crew from October 2024, during which they attempted to use domains impersonating AWS and Microsoft to phish users with Remote Desktop Protocol files pointing at actor-controlled resources. These attacks, according to Microsoft, targeted governments, NGOs, academia, and defense organizations.

Earlier this summer, Google’s Threat Intelligence Group documented APT29’s phishing campaigns also targeting academics and critics of Russia using application-specific passwords. ®